ABSTRACT



The public key, either short term "session" key or long term key, is generated by combining a pair of components. A first component is obtained by utilizing an integer with a relatively low Hamming weight as an exponent to facilitate exponentiation. The second component is a precomputed secret value that is of the form resulting from the exponentiation of the generator of the group element by an integer that has the requisite Hamming weight. The two components are combined to provide the public key and the two exponents combined to provide the corresponding private key.

13 Claims, 4 Drawing Sheets 
GENERATION OF SESSION KEYS FOR EL GAMAL-LIKE PROTOCOLS FROM LOW HAMMING WEIGHT INTEGERS

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation-in-Part of U.S. application Ser. No. 08/728,260, filed Oct. 10, 1996, now abandoned.

BACKGROUND OF THE INVENTION 

The present invention relates to public key encryption systems and more particularly to the generation of session parameters for use with public key protocols.

Public key data encryption systems are well-known and the more robust are based upon the intractability of the discrete log problem in a finite group. Such public key encryption systems utilize a group element and a generator of the group. The generator is an element from which each other group element can be obtained by repeated application of the underlying group operation, i.e. repeated composition of the generator. Conventionally, this is considered to be an exponentiation of the generator to an integral power and may be manifested as a k fold multiplication of the generator or a k fold addition of the generator depending upon the underlying group operation. In such a public key encryption system, an integer k is used as a private key and is maintained secret. A corresponding public key is obtained by exponentiating the generator α with the integer k to provide a public key in the form α^k. The value of the integer k cannot be derived even though the value α^k is known.

The public and private keys may be utilized in a message exchange where one of the correspondents may encrypt the data with the recipient's public key α^k. The recipient receives the encrypted message and utilizes his private key k to decrypt the message and retrieve the contents. Interception of the message will not yield the contents as the integer k cannot be derived.

A similar technique may be utilized to verify the authenticity of a message by utilizing a digital signature. In this technique, the transmitter of the message signs the message with a private key k and a recipient can verify that the message originated from the transmitter by decrypting the message with the transmitter's public key α^k. A comparison between a function of the plain text message and of the recovered message confirms the authenticity of the message.

In both techniques, it is necessary to perform the exponentiation of the group element α. To be secure, k must be a relatively large number and the exponentiation can therefore be relatively long. Where the exponent is used as a long-term public key, the time of computation is not of undue concern. However, in digital signature schemes, a short term session key is utilized together with the long-term public key. Each message is signed with a different private key k and the corresponding public session key α^k has to be computed and transmitted with the message. There is therefore the need for some efficiency in the exponentiation.

The computing time for the exponentiation can be reduced by utilizing an integer exponent k having a relatively low Hamming weight, that is, the number of 1's in the binary representation of the integer is kept low or, analogously in another radix, the exponent has few non-zero coefficients. However, integers having low Hamming weights are considered vulnerable to various attacks, including a square root attack, and so their use in encryption protocols is not encouraged.
SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a method of computing the session parameters for public key exchange protocols that obviates or mitigates the above disadvantages.

In general terms, the present invention provides a method of computing an exponent for use in a public key exchange protocol in which an integer k' is selected, having a Hamming weight less than a predetermined value. An exponentiation with the generator α is performed and the resultant intermediate session parameter α^k' is mathematically combined with a secret value γ. γ is derived from a random integer i which has a Hamming weight greater than the predetermined value. The mathematical combination of γ with the intermediate session parameter produces a session parameter whose exponent has a Hamming weight greater than the predetermined value and as such is considered computationally secure.

Conveniently, the secret value γ can be precomputed so that the real time exponentiation is confined to the generation of the exponent that utilizes the integer k'.

The method may be used with the multiplicative group Z_p^* or may be utilized with other groups such as elliptic curves over a finite field.

BRIEF DESCRIPTION OF THE DRAWING 

Embodiments of the invention will now be described by 
way of example only with reference to the accompanying 
drawings, in which: 

FIG. 1 is a schematic representation of a data communication system;

FIG. 2 is a flow chart showing the generation of the session parameters in the multiplicative group Z_p^*;

FIG. 3 is a flow chart showing the generation of the session parameters in the elliptic curve;

FIG. 4 is a flow chart similar to FIG. 3 of an alternative embodiment of the generation of session parameters; and

FIG. 5 is a flow chart showing a further embodiment of generation of session parameters.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring therefore to FIG. 1, a data communication system 10 includes a pair of correspondents 12, 14 respectively. Each of the correspondents 12, 14 can generate a message M and forward it through a communication link 16 to the other correspondent and each has an encryption/decryption module 18 to process the message M prior to transmission and upon receipt.

In order to permit the correspondent 14 to verify that a message has been generated by the correspondent 12, various protocols have been derived that permit signature of the message M and subsequent verification upon receipt of the transmitter of the message. For the purposes of illustration, a simple El Gamal-type protocol for signing the message M will be utilized although it will be understood that other more sophisticated protocols may be utilized and similar advantages obtained. Likewise, the generation of session parameters may be used for Diffie Hellman encryption schemes other than digital signatures.

As illustrated schematically in FIG. 2, in order to sign the message M, the correspondent 12 selects an integer k' from an integer generator 20 and checks it at comparator 22 to ensure it has a Hamming weight of less than a predetermined level that would normally be considered computationally insecure. For example, with a field of 155, an integer k' having a Hamming weight of less than 15 could be used. If necessary, a random number can be generated and the Hamming weight can be adjusted at a comb 24 to ensure that it is below the predetermined value that facilitates the computation.

A k' fold composition of the generator α is then performed. For a public key system using a multiplicative group of the integers mod p, where p is a prime, i.e. Z_p^*, the intermediate session key α^k' is then computed in exponentiator 26 utilizing a known exponentiation algorithm such as the "square and add" algorithm. Because the majority of the binary digits are zero, the exponentiation is relatively quick and the intermediate session parameter is obtained.

The correspondent 12 then retrieves from a table 28 a precomputed value of an element γ which is of the form α^i. The integer i is a random integer and as such the Hamming weight can be assumed to be in the order of 50%. The table 28 containing the value of i and the corresponding value of γ is maintained securely.

The secret value γ and the intermediate session parameter α^k' are multiplied in arithmetic processor 30 to provide a session parameter α^k'·α^i = α^k. The multiplication of two components may be performed relatively quickly and therefore the session parameter α^k may be computed in real time.

At the same time, the value k, which is equal to i+k', is computed in the arithmetic processor 30 and used to encrypt or sign the message M in the encryption module 18. The message M and the signature are transmitted to the recipient 14 over the communication channel 16 together with the session parameter α^k. The recipient 14 then decrypts the signed message using the session parameter α^k and compares the content of the decrypted message with the transmitted message to ensure that they are the same.

The utilization of the relatively low Hamming weight for the integer k' does not render the session parameter α^k vulnerable, as the secret value γ will have an adequate Hamming weight. Accordingly, the Hamming weight of the integer k will also be adequate for security purposes.

The technique may also be used in elliptic curve encryption systems as illustrated in FIG. 3, where like components are identified with like reference numerals with a suffix "a" added for clarity. With an elliptic curve encryption system, the group element used as a public key corresponds to a point kP which is obtained from the k-fold addition of a generator P. The underlying field operation is addition and therefore the group element kP is representative of exponentiation of the generator P to the power k. The security of the public key kP results from the addition of points on the curve or by the multiplication of a point by an integer, which is equivalent to multiple additions.

The addition of a pair of points on the curve is relatively complex and the requirement for multiple additions offsets some of the advantages from the inherently greater strengths of the elliptic curve encryption systems.

To facilitate the use of such encryption systems, an integer k' is selected by generator 20a having a Hamming weight less than a predetermined value, which would normally be considered insecure. The intermediate session parameter k'P is computed by a k' fold composition of the point P, i.e. by k' additions of an initial point P in the elliptic point accumulator 26a. The relatively low Hamming weight reduces the point additions necessary to facilitate computation of the value k'P.

A secret value γ is precomputed from an integer i which is randomly generated and has a Hamming weight of greater than the predetermined value. The value of γ is obtained from the i fold addition of the point P, i.e. γ = iP, and γ and i are stored in table 28a.

The intermediate session parameter k'P and the secret value iP are then added in arithmetic processor 30a to obtain the new point kP. The integer k may be computed in the processor 30a by the transmitter 12 from the addition of k' and i and the resultant signature prepared in the encryption module.

Again, however, the selection of the initial integer k' with a relatively low Hamming weight reduces the computational time to obtain the intermediate session parameter, and subsequent mathematical combination with the secret value yields a session parameter whose multiplying value k has the requisite Hamming weight.

Again, the use of a relatively low Hamming weight for the integer k' is masked by the combination with a random integer having a Hamming weight greater than the predetermined value.

In the situation where the elliptic curve cryptosystem uses an anomalous curve, the exponentiation may be obtained by a square and add algorithm.

A further embodiment is shown in FIG. 4 in which like reference numerals will be used to denote like components with a prefix 1 added for clarity. In the embodiment of FIG. 4 additional terms are introduced into the computation of the integer k to provide enhanced security. The integer k is obtained from the combination of a low Hamming weight integer k' generated by integer generator 120 with varying terms derived from additional integers k_C, k_L, k_D, to have the form

k = k' + k*_C + k*_L + k*_D

Similarly, the point kP is obtained by adding the corresponding points k'P, k*_C P, k*_L P and k*_D P.

The integers k_C, k_L and k_D are stored in a lookup table 128 with precomputed corresponding values of k_C P, k_L P and k_D P. In the example of FIG. 4, the integers k_C, k_L, k_D are retained as separate sets of values although, as will be explained below, a single set of integers may be used. The values of the integers in table 128 are indexed against a reference term t, typically the output of an incrementing counter 32 that increases at each generation of the session key k.

In the preferred embodiment, the term k*_C is a constant term corresponding to the integer retrieved from lookup table 128 for the given value of t. The terms k*_L, k*_D are provided by integers k_L and k_D, respectively, that are modified by the reference term t so as to vary for each generation of the session key k.

The term k*_L is a linear term of the form t·k_L and the term k*_D is of the form 2^t·k_D. As t varies, the values of k_C, k_L and k_D will vary from the lookup table and the corresponding values of k*_L and k*_D will vary with the value of the reference term t.

In this embodiment, the value k therefore has the form k = k' + k_C + t·k_L + 2^t·k_D, where k_C, k_L and k_D are the values of k_C, k_L and k_D at time t.

In operation therefore, as shown schematically in FIG. 4, upon initiation of the generation of the session key k, a value of k' is selected from generator 128 with a low Hamming weight and the corresponding value of k'P is computed by exponentiator 126. The output t of counter 32 is used as the reference term for the lookup table 128 to retrieve corresponding values of k_C, k_L, k_D, and the related points k_C P, k_L P, and k_D P.

The term k_C P corresponds to the term k*_C P and therefore may be added to k'P in arithmetic processor 130. The term k*_L P is obtained from a t fold addition of the point k_L P retrieved from table 128 and added in processor 130 to the value of k'P + k_C P.

Similarly, the term k*_D P is obtained from a 2^t fold addition of k_D P retrieved from the table 128 and added to the previous value to provide the session key kP. Likewise the value of k can be obtained from addition of k', k_C, k*_L and k*_D.
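The Z_p^* embodiment of FIG. 2, as an added example that is not part of the patent: a low-weight k' is exponentiated by square-and-multiply (counting the multiplications, which is where the saving lies), then combined with a precomputed γ = α^i to give α^k and k = k' + i. The modulus (the Mersenne prime 2^127-1), the generator 3 and the 127-bit width are constructed toy values, not the 155-bit field of the text.

```python
import secrets

# Constructed toy parameters (not from the patent): p is the Mersenne prime 2^127-1,
# alpha is an arbitrary group element of Z_p^*; far too small for real use.
P = (1 << 127) - 1
ALPHA = 3


def hamming_weight(n):
    """Number of 1 bits in the binary representation of n."""
    return bin(n).count("1")


def low_weight_exponent(bits, weight):
    """Play the role of generator 20 plus comb 24: a random integer below 2^bits
    with exactly `weight` one-bits, i.e. a k' of known low Hamming weight."""
    positions = set()
    while len(positions) < weight:
        positions.add(secrets.randbelow(bits))
    return sum(1 << b for b in positions)


def pow_count(base, exp, mod):
    """Left-to-right square-and-multiply (the patent's "square and add").
    Returns (base^exp mod mod, squarings, multiplications): the multiplication
    count equals the Hamming weight of exp, which is what a low-weight k' saves."""
    result, squarings, multiplications = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod
            multiplications += 1
    return result, squarings, multiplications


def precompute_secret(bits):
    """Table 28 entry: a full-length random i (Hamming weight about 50%) and
    gamma = alpha^i, computed ahead of time, off the real-time path."""
    i = secrets.randbits(bits) | (1 << (bits - 1))
    gamma, _, _ = pow_count(ALPHA, i, P)
    return i, gamma


def session_parameter(k_prime, i, gamma):
    """Arithmetic processor 30: alpha^k = alpha^k' * gamma and k = k' + i.
    Returns (alpha^k, k, multiplications spent in the real-time exponentiation)."""
    intermediate, _, multiplications = pow_count(ALPHA, k_prime, P)
    return intermediate * gamma % P, k_prime + i, multiplications


if __name__ == "__main__":
    i, gamma = precompute_secret(127)          # done once, stored securely
    k_prime = low_weight_exponent(127, 14)     # per message, cheap to exponentiate
    alpha_k, k, muls = session_parameter(k_prime, i, gamma)
    assert alpha_k == pow(ALPHA, k, P)         # same element as direct exponentiation
    print(f"HW(k')={hamming_weight(k_prime)} HW(i)={hamming_weight(i)} "
          f"HW(k)={hamming_weight(k)} real-time multiplications={muls}")
```

The check against pow(ALPHA, k, P) is the point of the construction: the cheap α^k'·γ equals the expensive direct α^k, while the Hamming weight of k itself stays near that of i.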

It will be appreciated that each of the additions involves the addition of a pair of points on an elliptic curve. The computation of k*_L P and k*_D P may be obtained relatively easily using successive doubling of the point or substitution in the binary representation of the value of t.

In addition, the use of k*_C, k*_L and k*_D may be permuted as successive signatures are computed so as to introduce additional complexity.

The value k' can be chosen with a suitably low Hamming weight. Similarly, values of k_L or k_D may be chosen to have a relatively low Hamming weight if preferred for ease of computation, but it is preferred that k_C has a satisfactory Hamming weight to provide adequate security at t=0. In general, however, it is preferred that each value of k_C, k_L and k_D has an adequate Hamming weight for computational security. As described below, the computation required from signature to signature may be reduced so that it is preferred to maintain the value of k_L and k_D above a predetermined level. In the above example, it has been assumed that the values of k_C, k_L and k_D have been selected from different sets of values. However, the values could be selected from the same table using a predetermined permutation of values or could be the same integer used in each term to simplify computation.

Similarly, the form of k could include additional and/or different terms to introduce non-linearity and complexity in addition to the constant, linear and doubling terms described, and could in fact include additional functions such as the Frobenius operator in the computation of k when appropriate. The additional terms are chosen to provide ease of computation and a final Hamming weight above a predetermined value that is considered computationally secure.

A further algorithm for determining successive values of 
k and kP is shown in FIG. 5. 

Assume a form of k as described above, such that

k'' = k_C + t·k_L + 2^t·k_D

and k = k' + k''.

Initially, the values of k_C, k_L and k_D and corresponding values k_C P, k_L P and k_D P are stored in registers 34. The new value of k at time t is k'(t) + k''(t)

where

k''(t) = k_C + t·k_L + 2^t·k_D.

k'(t) is the new integer with a low Hamming weight generated by generator 220.

To compute a new value of k, the value of k''(t) is computed in arithmetic processor 230 using the values stored in the registers 34. The resultant value of k''(t) is added to k'(t) to obtain the new value of k.

To facilitate computation of the next value of k, i.e. k(t+1), the computed values of k''(t) and 2^t·k_D together with k_L and k_C are stored.

To obtain k(t+1), it is necessary to obtain k'(t+1) and generate k''(t+1). This can be readily achieved using the stored values:

k''(t+1) = k_C + (t+1)·k_L + 2^(t+1)·k_D
= (k_C + t·k_L + 2^t·k_D) + 2^t·k_D + k_L
= k''(t) + 2^t·k_D + k_L.

Each of these terms is stored in registers 34 and can readily be retrieved to provide the value of k''(t+1), which is then combined with k'(t+1) to provide the new k at time (t+1).

The registers 34 are updated so that the value of k''(t) is replaced with k''(t+1), the value of k_L retained and the value of 2^t·k_D replaced with 2^(t+1)·k_D.

The next value of k at time (t+2) can then be obtained in a similar manner.
A similar procedure is available for computing the value of k(t+1)P.

The values of k''(t)P, k_L P and 2^t·k_D P are stored in registers 34.

k'(t+1)P is obtained by multiple point additions in the elliptic point accumulator 226 as before.

The value of k''(t+1)P is obtained by computing

k''(t)P + k_L P + 2^t·k_D P.

Each of these terms is stored in the registers 34 and readily retrieved.

These terms are updated by corresponding terms for time (t+1) and, to facilitate this, the point 2^t·k_D P is first doubled to provide 2^(t+1)·k_D P. This is then stored and also added to k_L P and k''(t)P to obtain k''(t+1)P. Again this is stored and also added to k'(t+1)P to give the new value of k(t+1)P.

The computation of k''(t+1)P is therefore achieved with 1 point doubling and 3 point additions which, in combination with the low Hamming weight of k', leads to a very efficient generation of the system parameters.
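The FIG. 5 register update, as an added example that is not part of the patent: it follows the derivation k''(t+1) = k''(t) + 2^t·k_D + k_L and carries the matching points forward with one doubling and two additions per step, the third addition being k'(t)P + k''(t)P. The curve y^2 = x^3 + 2x + 3 mod 97 with generator (3, 6) and the values k_C, k_L, k_D used in the test are constructed toy parameters.

```python
# Added example (not from the patent): the FIG. 5 register update over a toy
# elliptic curve y^2 = x^3 + A*x + B mod p. Constructed parameters; insecure by design.
p, A, B = 97, 2, 3
P_GEN = (3, 6)  # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so the point is on the curve


def ec_add(P1, P2):
    """Affine point addition with None as the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p  # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, Pt):
    """Reference double-and-add scalar multiplication, used to check results
    and to build the initial register contents."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Pt)
        Pt = ec_add(Pt, Pt)
        k >>= 1
    return R


class SessionRegisters:
    """Registers 34: k''(t), 2^t*k_D, k_L and the matching points, for
    k''(t) = k_C + t*k_L + 2^t*k_D and k(t) = k'(t) + k''(t)."""

    def __init__(self, k_C, k_L, k_D):
        self.t = 0
        self.k_L, self.k_L_P = k_L, ec_mul(k_L, P_GEN)
        self.pow_kD, self.pow_kD_P = k_D, ec_mul(k_D, P_GEN)      # 2^0 * k_D
        self.k2, self.k2_P = k_C + k_D, ec_mul(k_C + k_D, P_GEN)  # k''(0)
        self.doublings = self.additions = 0

    def advance(self):
        """Step t -> t+1: k''(t+1) = k''(t) + 2^t*k_D + k_L, so the point needs
        two additions, plus one doubling to keep 2^(t+1)*k_D*P for the next step."""
        self.k2_P = ec_add(ec_add(self.k2_P, self.pow_kD_P), self.k_L_P)
        self.k2 += self.pow_kD + self.k_L
        self.pow_kD_P = ec_add(self.pow_kD_P, self.pow_kD_P)
        self.pow_kD *= 2
        self.additions += 2
        self.doublings += 1
        self.t += 1

    def session(self, k_prime):
        """Third addition: k(t)P = k'(t)P + k''(t)P, with k(t) = k'(t) + k''(t).
        k'(t)P itself is cheap because k' has low Hamming weight."""
        self.additions += 1
        return k_prime + self.k2, ec_add(ec_mul(k_prime, P_GEN), self.k2_P)
```

Each session key produced from the registers can be checked against a direct ec_mul(k, P_GEN); the doubling and addition counters show the per-signature cost the text states.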
As noted above, additional complexity may be introduced by permuting the registers containing the related pairs of stored values for successive generation of the session parameters k and α^k.

In summary, the generation of a session parameter is facilitated by utilizing a low Hamming weight integer for ease of computation and combining it with a precomputed value or set of values to mask the low Hamming weight. Additional complexity may be introduced by providing non-linear terms in the set of values and/or by permuting the set of values from signature to signature. In this way, the successive session values are resistant to attacks but the computations may be performed efficiently.

It will be appreciated that the above computations may be performed on an integrated circuit or executed in software on a general purpose computer depending upon the particular application.

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. A method of obtaining a group element for use as a public component of a public key encryption scheme and a corresponding private key k, said public component corresponding to a k-fold composition of a generator of that group, where k is an integral value having a Hamming weight greater than a predetermined value, to provide a requisite level of security, said method comprising the steps of:

i) selecting an integer k' which has a Hamming weight less than said predetermined value;

ii) performing a k' fold composition of the generator to provide an intermediate session parameter;

iii) combining said intermediate session parameter with a secure value γ derived from an i fold composition of the generator where i is an integer having a Hamming weight greater than said predetermined value to obtain said group element; and

iv) combining said integers k' and i to provide a corresponding private key component k.

2. The method according to claim 1 wherein said secure value is precomputed and maintained secret.

3. A method according to claim 1 in which said group is a multiplicative group of integers mod p.

4. A method according to claim 3 wherein said intermediate session value and secure value are combined by multiplication.

5. A method according to claim 1 wherein said group is an 
elliptic curve over a finite field. 



6. A method according to claim 5 wherein said secure 
value and said intermediate session value are combined by 
performing an addition on an elliptic curve over a finite field. 

7. A method according to claim 1 wherein said secure 
value is obtained by generation of a random number as an 
exponent. 

8. A method according to claim 7 wherein said random 
number and resultant secure value are stored and extracted 
for combining with said intermediate session value. 

9. A method according to claim 1 wherein said secure 
value is derived from a combination of terms, each of which 
has a value derived from an integral number of compositions 
of said group element. 

10. A method according to claim 9 wherein at least one of 
said terms introduces a non linearity to successive secret 
values. 

11. A method according to claim 10 wherein said one of said terms includes a time varying integer in said composition.

12. A method according to claim 9 wherein said terms are permuted amongst themselves after each successive signature.

13. A method according to claim 12 wherein at least one 
of said terms introduces a non-linearity to successive secret 
values. 